20170118-erou06 routingregistry-el2 · 2017. 1. 17.
TRANSCRIPT
1/18/17
APNIC eLearning: Internet Routing Registry
18 January 2017, 01:00 PM AEST Brisbane (UTC+10)
Issue Date: 02 July 2016
Revision: 1.0
Introduction
• Presenter: Sheryl Hermoso, Training, [email protected]
  – Specialties: Network Security, IPv6, DNS/DNSSEC, Internet Resource Mgmt
• Reminder: Please take time to fill in the survey
Overview
• What is Routing Policy
• IRR Database & Objects
• Routing policy documentation in IRR database
• RPSL (Routing Policy Specification Language)
• IRRToolSet to generate router configuration
Routing Policy
• Public description of the relationship between external BGP peers
• Can also describe internal BGP peer relationships
• Usually registered at an IRR (Internet Routing Registry) such as RADB or APNIC

This document is uncontrolled when printed. Before use, check the APNIC electronic master document to verify that this is the current version.
Routing Policy
• Who are my BGP peers
• What routes are
  – Originated by a peer
  – Imported from each peer
  – Exported to each peer
  – Preferred when multiple routes exist
• What to do if no route exists
Why define a Routing Policy
• Documentation
• Provides routing security
  – Can the peer originate the route?
  – Can the peer act as transit for the route?
• Allows automatic generation of router configurations
• Provides a debugging aid
  – Compare policy versus reality
The Internet Routing Registry (IRR)
• A number of public databases that contain routing policy information and mirror each other
  – APNIC, RIPE, RADB, JPIRR, Level3
  – http://www.irr.net/
• Stability and consistency of routing: network operators share information
• Both public and private databases
• These databases are independent, but some exchange data
  – Only register your data in one database
• List of Routing Registries
  – http://www.irr.net/docs/list.html
The Internet Routing Registry (IRR)
• IRRs are used in at least three distinct ways
  – To publish your own routing intentions
  – To construct and maintain routing filters and router configurations
  – Diagnostic and information service for more general network management
IRR Objects query
• whois query from the CLI
  whois -h whois.apnic.net 2406:6400::/32
• You can also search from the APNIC website
IRR objects query flags
• IRR supports a number of flag options
  – ! prefix: RADB (IRRd) query flags
  – - prefix: RIPE/BIRD query flags
• -i flag for inverse queries
  – whois -h whois.apnic.net -i mnt-by MAINT-AU-APNICTRAINING
    [all the objects with a matching mnt-by attribute]
  – whois -h whois.apnic.net -i origin as17821
    [route and route6 objects with a matching origin attribute]
• -q flag for informational queries
  – whois -h whois.apnic.net -q sources
    [list of sources]
IRR objects query flags
• -K flag: only the primary keys of an object are returned
  – whois -h whois.apnic.net -K 2406:6400::/32
• IRRd (IRR Daemon) supports server-side set expansion (as-set and route-set)
  – whois -h whois.radb.net '!iAS-APNICTRAINING'
    [returns the members of the AS-APNICTRAINING as-set object]
• For details please check
  – https://www.apnic.net/apnic-info/whois_search/using-whois/searching/query-options
  – http://www.radb.net/support/query2.php
Whois & IRR Database
• APNIC whois database also works as an IRR database
• Integrated APNIC whois database & Internet Routing Registry
  [Diagram: Internet Resources & Routing Information]
  – APNIC whois: IP, ASNs, reverse domains, contacts, maintainers etc
  – IRR: routers, routing policy, filters, peers etc
RPSL
• Routing Policy Specification Language
• RPSL is object oriented
  – These objects are registered in the Internet Routing Registry (IRR)
  – route, autonomous system, router, contact and set objects
• RIPE-81 was the first language deployed in the Internet for specifying routing policies
  – It was later replaced by RIPE-181
  – RPSL is a replacement for RIPE-181 (RFC-1786)
  – RPSL addresses RIPE-181's limitations
What is RPSL
• Describes things interesting to routing policy
  – Prefixes
  – AS Numbers
  – Relationships between BGP peers
  – Management responsibility
• For more about RPSL
  – RFC-1786: RIPE-181
  – RFC-2622: Routing Policy Specification Language
  – RFC-2650: Using RPSL in Practice
  – RFC-2726: PGP Authentication for RIPE Database Updates
  – RFC-2725: Routing Policy System Security
  – RFC-2769: Routing Policy System Replication
  – RFC-4012: Routing Policy Specification Language next generation (RPSLng)
RPSL Objects
• RPSL objects are similar to RIPE-181 objects
• Objects
  – A set of attributes
• Attributes
  – Mandatory or optional
  – Values: single, list, multiple
• Class "key"
  – A set of attributes
  – Usually one attribute has the same name as the object's class
  – Uniquely identifies each object
• Class "key" = primary key; must be specified first
RPSL Attributes
• Case insensitive
• The value of an attribute has a type
  – <object-name>
  – <as-number>
  – <ipv4-address>
  – <ipv6-address>
  – <address-prefix>
  – etc
• Complete list of attributes and types in RFC 2622
  – https://www.rfc-editor.org/rfc/rfc2622.txt
APNIC Database Objects and Routing Registry Objects

OBJECT              PURPOSE
person              Technical or administrative contacts responsible for an object
role                Technical or administrative contacts represented by a role, performed by one or more people
inetnum / inet6num  Allocation or assignment of IPv4 / IPv6 address space
aut-num             Registered holder of an AS number and corresponding routing policy
route / route6      Single IPv4 / IPv6 route injected into the Internet routing mesh
mntner              Authorized agent to make changes to an object
as-set              Collect together Autonomous Systems with shared properties
route-set           Defines a set of route prefixes
filter-set          Defines a set of routes that are matched by a filter expression
Import and Export Attributes
• You can document your routing policy in your aut-num object in the APNIC Database:
  – Import lines describe what routes you accept from a neighbor and what you do with them
  – Export lines describe which routes you announce to your neighbor
Routing Policy Scenarios

[Diagram: You (AS17821) have a transit provider (AS4608) towards the Internet, a downstream customer (AS131107) and a peer (AS65543).]

aut-num: AS17821
import:  from AS4608 accept ANY
export:  to AS4608 announce AS17821 AS131107
import:  from AS131107 accept AS131107
export:  to AS131107 announce ANY
import:  from AS65543 accept AS65543
export:  to AS65543 announce AS17821 AS131107
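The scenario above, worked through as an added example that is not part of the original slides or of IRRToolSet: a miniature RtConfig in Python. It parses whois output the way the -i origin queries deliver it (RPSL objects separated by blank lines), takes the import lines from the aut-num, and renders a Cisco-style inbound prefix-list and as-path list for each neighbour. The whois text is constructed: the aut-num mirrors the scenario, but the route/route6 objects, the 192.0.2.0/24 documentation prefix and the prefix-list names are assumptions, not data registered in the APNIC IRR.

```python
import re
from ipaddress import ip_network

# Constructed whois output: the aut-num from the scenario plus route/route6
# objects. The route objects and 192.0.2.0/24 are assumptions for this example.
WHOIS_OUTPUT = """\
aut-num:    AS17821
import:     from AS4608 accept ANY
export:     to AS4608 announce AS17821 AS131107
import:     from AS131107 accept AS131107
export:     to AS131107 announce ANY
import:     from AS65543 accept AS65543
export:     to AS65543 announce AS17821 AS131107
source:     APNIC

route6:     2406:6400:8000::/48
origin:     AS131107
source:     APNIC

route:      192.0.2.0/24
origin:     AS131107
source:     APNIC

route6:     2001:db8:1::/48
origin:     AS65543
source:     APNIC
"""
IMPORT_RE = re.compile(r"from\s+(AS\d+)\s+accept\s+(.+)$", re.I)

def parse_objects(text):
    """Split whois output into RPSL objects, each a list of (attr, value).
    Blank lines separate objects; leading whitespace or '+' continues an attribute."""
    objects, current = [], []
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = []
        elif line[0] in " \t+" and current:
            attr, val = current[-1]
            current[-1] = (attr, (val + " " + line.strip(" \t+")).strip())
        else:
            attr, _, val = line.partition(":")
            current.append((attr.strip().lower(), val.strip()))
    if current:
        objects.append(current)
    return objects

def routes_by_origin(objects):
    """origin ASN -> sorted prefixes from route/route6 objects (what -i origin returns)."""
    routes = {}
    for obj in objects:
        cls, key = obj[0]                     # the class attribute is the primary key
        if cls in ("route", "route6"):
            origin = dict(obj).get("origin", "").upper()
            routes.setdefault(origin, []).append(ip_network(key))
    return {asn: sorted(nets, key=lambda n: (n.version, n)) for asn, nets in routes.items()}

def import_policy(autnum):
    """{peer ASN: accept expression} taken from the aut-num's import lines."""
    policy = {}
    for attr, val in autnum:
        m = IMPORT_RE.match(val) if attr == "import" else None
        if m:
            policy[m.group(1).upper()] = m.group(2).strip()
    return policy

def cisco_filter(peer, accept, routes, acl):
    """Inbound filter lines for one peer; handles only ANY and a single origin ASN."""
    expr = accept.upper()
    if expr == "ANY":
        return [f"! {peer}: accept ANY (transit), no prefix filter generated",
                f"no ip as-path access-list {acl}",
                f"ip as-path access-list {acl} permit .*"]
    prefixes = routes.get(expr) if re.fullmatch(r"AS\d+", expr) else None
    if not prefixes:                          # unsupported filter or IRR gap: fail closed
        raise ValueError(f"no usable route objects for filter {accept!r}")
    lines = []
    for ver, cmd, name, deny in ((4, "ip", f"{peer}-IN", "0.0.0.0/0 le 32"),
                                 (6, "ipv6", f"{peer}-IN6", "::/0 le 128")):
        nets = [n for n in prefixes if n.version == ver]
        lines.append(f"no {cmd} prefix-list {name}")
        for i, n in enumerate(nets, 1):
            lines.append(f"{cmd} prefix-list {name} seq {5 * i} permit {n}")
        lines.append(f"{cmd} prefix-list {name} seq {5 * (len(nets) + 1)} deny {deny}")
    # Same shape as RtConfig's ^(_65001)+$: the peer's own ASN (prepending allowed),
    # with a different origin ASN appended behind the peer when the filter names one.
    path = (f"^(_{peer[2:]})+$" if expr == peer
            else f"^(_{peer[2:]})+(_{expr[2:]})+$")
    lines += [f"no ip as-path access-list {acl}",
              f"ip as-path access-list {acl} permit {path}"]
    return lines

def generate(text):
    """peer ASN -> Cisco filter lines, one entry per import line of the aut-num."""
    objects = parse_objects(text)
    autnum = next(o for o in objects if o[0][0] == "aut-num")
    routes = routes_by_origin(objects)
    return {peer: cisco_filter(peer, accept, routes, acl)
            for acl, (peer, accept) in enumerate(import_policy(autnum).items(), 500)}
```

Calling generate(WHOIS_OUTPUT) yields, for AS131107, a permit for each registered prefix followed by a deny-all, and the as-path list ^(_131107)+$. The point worth noticing is the failure mode: a peer whose accept expression has no route objects behind it raises instead of producing an empty (permit-nothing or permit-everything) filter, which is the choice RtConfig's output forces you to make by hand.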
RPSL Tools
• IRRToolSet (written in C++)
  – http://irrtoolset.isc.org/
• Rpsltool (Perl, using Template::Toolkit)
  – http://www.linux.it/~md/software
• IRR Power Tools (PHP)
  – http://sourceforge.net/projects/irrpt/
• BGPQ3 (C)
  – http://snar.spb.ru/prog/bgpq3/
• Filtergen (Level 3)
  – Online tool using the whois protocol
  – whois -h filtergen.level3.net RIPE::ASxxxx
Use of RPSL
• Use RtConfig to generate filters based on information stored in our routing registry
  – Avoids filter errors (typos)
  – Filters consistent with documented policy (need to get the policy correct though)
  – Engineers don't need to understand filter rules (it just works :-)
• Some providers have their own tools
IRRToolSet : Installation
• Dependencies (Debian / Ubuntu)
  # apt-get install build-essential libtool subversion bison flex libreadline-dev autoconf automake
• Installation
  # wget ftp://ftp.isc.org/isc/IRRToolSet/IRRToolSet-5.0.1/irrtoolset-5.0.1.tar.gz
  # tar -zxvf irrtoolset-5.0.1.tar.gz
  # cd irrtoolset-5.0.1
  # ./configure
  # make
  # make install
• For details: http://irrtoolset.isc.org/wiki/IRRToolSetInstallation
RtConfig command line options
• Defaults to using RADB
  – -h whois.ra.net / whois.radb.net
  – -p 43
  – Default protocol: irrd
• For other RIRs use protocol bird
  – -protocol bird/ripe
• Defaults to "cisco" style output
  – -config cisco / -config junos
• -s <list of IRR sources>
  – -s APNIC,RADB,RIPE
RtConfig Syntax
• import / export pair for each link; syntax:
  @RtConfig [import/export] <yourASN> <yourRouterIP> <neighbourASN> <neighbourRouterIP>
• Takes other commands also:
  @RtConfig configureRouter <inet-rtr-name>
  @RtConfig static2bgp <ASN-1> <rtr-1>
  @RtConfig access_list filter <filter>
• And many more; the best place to look is
  man rtconfig
IRRToolSet Cisco Example

bash-3.2$ rtconfig -protocol bird -config cisco -h whois.apnic.net
rtconfig> @RtConfig import AS17821 2406:6400:10::1 AS65001 2406:6400:10::2
!
no ipv6 access-list ipv6-500
ipv6 access-list ipv6-500 permit 2406:6400:8000::/48 any
ipv6 access-list ipv6-500 deny any any
!
no ip as-path access-list 500
ip as-path access-list 500 permit ^(_65001)+$
<output truncated>
router bgp 17821
!
neighbor 2406:6400:10::2 remote-as 65001
address-family ipv4
no neighbor 2406:6400:10::2 activate
address-family ipv6 unicast
neighbor 2406:6400:10::2 activate
neighbor 2406:6400:10::2 route-map AS65001-IN in
exit
IRRToolSet JunOS Example

bash-3.2$ rtconfig -protocol bird -config junos -h whois.apnic.net
rtconfig> @RtConfig import AS17821 2406:6400:10::1 AS65001 2406:6400:10::2
policy-options {
    community community-1 members [17821:65001];
    as-path as-path-1 "( 65001)+";
<output truncated>
protocols {
    bgp {
        group peer-2406:6400:10::2 {
            type external;
            peer-as 65001;
            neighbor 2406:6400:10::2 {
                import policy_65001_1;
                family inet6 {
                    unicast;
                }
            }
        }
    }
}
Getting the complete picture
• Automation relies on the IRR being complete
  – Not all resources are registered in an IRR
  – Not all information is correct
• Small mistakes can have a big impact
  – Check your output before using it
• Be prepared to make manual overrides
  – Help others by documenting your policy
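As an added example (not from the slides or from any APNIC tool), a Python check of the kind the "check your output before using it" bullet calls for. It runs over a generated prefix list and rejects entries that should never come out of a customer filter (a default route, private or documentation space, prefixes longer than the family's usual maximum, typos that do not parse), and warns when the new list is much larger than the one already on the router, which is how a mistyped as-set member or a bad route object usually shows up. The bogon list, the /24 and /48 limits, the growth factor and the sample prefixes are all assumptions made for this example.

```python
from ipaddress import ip_network

# Martians and documentation space that must never come from a customer.
# Assumption: this short list is illustrative, not a complete bogon feed.
BOGONS = [ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/3",
    "::/8", "2001:db8::/32", "fc00::/7", "fe80::/10", "ff00::/8",
)]
# Assumed per-family limits: a route object for anything longer is usually a
# registration typo, and most networks would not accept it from a customer anyway.
MAX_PREFIXLEN = {4: 24, 6: 48}

def check_prefix(prefix):
    """Reasons a prefix should stay out of a customer filter (empty list = fine)."""
    try:
        net = ip_network(prefix)          # strict: host bits set is a parse error
    except ValueError as e:
        return [f"unparseable ({e})"]
    reasons = []
    if net.prefixlen == 0:
        reasons.append("default route")
    if net.prefixlen > MAX_PREFIXLEN[net.version]:
        reasons.append(f"too specific (/{net.prefixlen})")
    for bogon in BOGONS:
        if bogon.version != net.version:
            continue
        if net.subnet_of(bogon):
            reasons.append(f"inside bogon {bogon}")
        elif bogon.subnet_of(net):
            reasons.append(f"covers bogon {bogon}")
    return reasons

def review(candidate, deployed=None, max_growth=2.0):
    """Split a generated list into accepted/rejected and flag suspicious growth
    against the list already deployed (a typo in an as-set shows up as a jump)."""
    accepted, rejected = [], {}
    for p in candidate:
        reasons = check_prefix(p)
        if reasons:
            rejected[p] = reasons
        else:
            accepted.append(p)
    warnings = []
    if deployed and len(accepted) > max_growth * len(deployed):
        warnings.append(f"list grew from {len(deployed)} to {len(accepted)} prefixes; verify before pushing")
    if not accepted:
        warnings.append("no acceptable prefixes; the generated filter would drop everything")
    return {"accepted": accepted, "rejected": rejected, "warnings": warnings}

# Constructed sample: what a generated customer list might look like after a
# bad route object and a typo crept into the IRR.
SAMPLE = ["2406:6400:8000::/48", "192.0.2.0/24", "10.1.0.0/25", "0.0.0.0/0", "2406:6400:1::/64"]

if __name__ == "__main__":
    result = review(SAMPLE, deployed=["2406:6400:8000::/48"])
    for p, why in result["rejected"].items():
        print(f"reject {p}: {'; '.join(why)}")
    print("accepted:", result["accepted"], "warnings:", result["warnings"])
```

Run against the constructed sample, only 2406:6400:8000::/48 survives; the other four are rejected for a named reason each, which is the output you want to read before any of it reaches a router. The growth warning is deliberately relative rather than absolute, because a new customer with one /32 and a new customer with forty /24s are both normal, whereas a list that doubles overnight is not.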
RPSL in summary
1. Define Routing Policy
2. Create IRR Object/Objects
3. Run RtConfig to generate config
4. Push config to router/routers
Questions
• Please remember to fill out the feedback form
  – https://www.surveymonkey.com/r/apnic-20170118-eL2
• Slide handouts will be available after completing the survey

APNIC Helpdesk Chat
Thank You! END OF SESSION
www.facebook.com/APNIC
www.twitter.com/apnic
www.youtube.com/apnicmultimedia
www.flickr.com/apnic
www.weibo.com/APNICrir